General Data Protection Regulation (GDPR) - should you be collecting personal data?
(13 April 2018)
Protecting and managing personal data brings responsibilities for both the University and for the individual. Often the collection of personal data is unnecessary. Much of the data collected via web forms and paper forms duplicates information already available about staff and students in core systems. Anonymised data may be sufficient for surveys and research purposes. Consider what you are trying to achieve and whether you really need to collect personal data. Making conscious efforts to determine whether personal data is really required, and/or whether it can be obtained from existing sources, can pay dividends. For information and guidance please visit the Data Protection webpages.
Activities to be undertaken:
- Determine and document the reason for collecting the Personal Data.
- Complete the Data Protection Impact Assessment (DPIA) screening questions (Step 1 of the DPIA template) or for Research, a Data Management Plan. This will assist you in determining additional controls.
- Determine and document the lawful basis for processing the Personal Data.
- Identify all points at which Personal Data is collected. Privacy Notices outlining how the data will be processed will need to be developed and provided at these points.
- Identify any services provided directly to children.
- Identify any Personal Data used for Direct Marketing.
- Determine how consents for processing Personal Data shall be sought, recorded and maintained.
- Develop local processes to ensure that Personal Data collected are accurate, adequate, relevant and not excessive.
- Plan to undertake routine weeding of Personal Data.
For more information about data protection and information governance, please visit the Information Governance webpages.